Flavio

Rank #21969 of 53,624 · Total CVSS 10.8 · Vulnerabilities: 2 (Medium: 2)
PT-2025-5353 · CVSS 6.5 · 2025-01-30 · Unknown · Kubewarden-Controller · CVE-2025-24376
**Name of the Vulnerable Software and Affected Versions**

kubewarden-controller versions prior to 1.21.0

**Description**

The issue concerns the validation of namespaced resources by AdmissionPolicy and AdmissionPolicyGroup policies in kubewarden-controller. Both policy types are themselves namespaced, so an attacker able to create them in a namespace can define rules that match the PolicyReport objects Kubewarden writes into that same namespace. A validating policy can then reject the creation and update of PolicyReport objects, which list the non-compliant objects found inside a namespace, thereby hiding non-compliant resources from whoever reads the reports. A mutating AdmissionPolicy can go further and alter the contents of existing PolicyReport resources. Starting from version 1.21.0 the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened so that they can no longer validate or mutate sensitive types of namespaced resources.

**Recommendations**

Update to version 1.21.0 or later, where the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from targeting sensitive namespaced resources.

For versions prior to 1.21.0 that cannot be upgraded immediately, apply the Kubewarden policy provided with the advisory, named "deny-interaction-with-policyreport". It restricts the use of wildcards in the apiGroups and resources rules of AdmissionPolicy and AdmissionPolicyGroup objects and prevents these policies from targeting PolicyReport resources.

As a temporary workaround, restrict who may create and modify AdmissionPolicy and AdmissionPolicyGroup objects, restrict access to the `PolicyReport` resources, and limit the use of the namespaced `admissionpolicies` and `admissionpolicygroups` resources until the fix is deployed.
PT-2025-5568 · CVSS 4.3 · 2025-01-30 · Unknown · Kubewarden-Controller · CVE-2025-24784
**Name of the Vulnerable Software and Affected Versions**

kubewarden-controller versions 1.17.0 through 1.20.x

**Description**

Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; such policies are called "context aware". Context aware policies perform list and get operations against the cluster using the `ServiceAccount` of the Policy Server instance that hosts the policy, not the credentials of the user who created the policy. The issue allows an attacker to obtain information about resources that are out of their reach by leveraging the higher cluster access granted to that ServiceAccount token. The impact depends on the privileges granted to the ServiceAccount used to run the Policy Server; the assessed severity assumes that the recommended best practice of keeping the Policy Server's ServiceAccount least privileged is followed. By default, the Kubewarden helm chart grants access to the following resources only: Namespace, Pod, Deployment, and Ingress.

**Recommendations**

For versions 1.17.0 through 1.20.x, update to version 1.21.0 or later to resolve the issue.

As a temporary workaround for versions prior to 1.21.0, apply a Kubewarden policy that prevents the creation of AdmissionPolicyGroup resources whose member policies have access to Kubernetes resources, such as the policy provided in the advisory (OSV description). Restrict access to the `AdmissionPolicyGroup` resource to minimize the risk of exploitation, and avoid using context aware policies in namespaced policy groups until the fix is deployed.
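Both advisories above come down to inspecting the same two namespaced objects, so a cluster operator's first check is to pull every AdmissionPolicy and AdmissionPolicyGroup and look for the two risky shapes: rules that can reach `wgpolicyk8s.io` PolicyReport objects (CVE-2025-24376), and policy-group members that declare `contextAwareResources` (CVE-2025-24784). The script below is an added example written for this page; it is not Kubewarden's own code and not the mitigation policy shipped with the advisories. It assumes the manifest shape used by the kubewarden-controller API (`spec.rules[]` with `apiGroups` and `resources`, the `spec.mutating` flag, and `spec.policies.<name>.contextAwareResources` on policy groups); the sample manifests are constructed for the example rather than exported from a real cluster.

```python
"""Audit namespaced Kubewarden policies for the two advisories.

Added example (not Kubewarden project code). Assumes the AdmissionPolicy /
AdmissionPolicyGroup manifest layout of the kubewarden-controller API; the
manifests in SAMPLE_MANIFESTS are constructed test data.
"""
from typing import Any

POLICYREPORT_GROUP = "wgpolicyk8s.io"
NAMESPACED_KINDS = {"AdmissionPolicy", "AdmissionPolicyGroup"}


def parse_version(version: str) -> tuple[int, int, int]:
    """'v1.20.3' -> (1, 20, 3). A pre-release suffix after '-' is dropped."""
    parts = [int(p) for p in version.lstrip("v").split("-")[0].split(".")]
    while len(parts) < 3:          # treat '1.21' as 1.21.0, not as "before 1.21.0"
        parts.append(0)
    return parts[0], parts[1], parts[2]


def affected_cves(version: str) -> set[str]:
    """Which of the two advisories apply to a kubewarden-controller release."""
    v = parse_version(version)
    cves: set[str] = set()
    if v < (1, 21, 0):
        cves.add("CVE-2025-24376")                 # every release before 1.21.0
    if (1, 17, 0) <= v < (1, 21, 0):
        cves.add("CVE-2025-24784")                 # policy groups exist since 1.17.0
    return cves


def rule_reaches_policyreport(rule: dict[str, Any]) -> bool:
    """True if a spec.rules[] entry matches PolicyReport, by wildcard or by name."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    group_hit = "*" in groups or POLICYREPORT_GROUP in groups
    # 'policyreports/status' and '*/status' count too: only the base resource matters
    resource_hit = any(r.split("/")[0] in ("*", "policyreports") for r in resources)
    return group_hit and resource_hit


def audit(manifests: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per risky rule or policy-group member."""
    findings: list[dict[str, str]] = []
    for m in manifests:
        kind = m.get("kind")
        if kind not in NAMESPACED_KINDS:           # cluster-wide policies are out of scope
            continue
        meta, spec = m.get("metadata", {}), m.get("spec", {})
        where = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        for rule in spec.get("rules", []):
            if rule_reaches_policyreport(rule):
                mode = "mutate" if spec.get("mutating") else "validate"
                findings.append({"object": where, "kind": kind, "cve": "CVE-2025-24376",
                                 "detail": f"rule can {mode} PolicyReport objects: {rule}"})
        if kind == "AdmissionPolicyGroup":
            for member, member_spec in spec.get("policies", {}).items():
                if member_spec.get("contextAwareResources"):
                    findings.append({"object": where, "kind": kind, "cve": "CVE-2025-24784",
                                     "detail": f"member '{member}' is context aware: "
                                               f"{member_spec['contextAwareResources']}"})
    return findings


# Constructed sample data: one benign policy, two that reach PolicyReport, one
# policy group whose member queries the API through the Policy Server account.
SAMPLE_MANIFESTS: list[dict[str, Any]] = [
    {"kind": "AdmissionPolicy", "metadata": {"namespace": "team-a", "name": "safe-pods"},
     "spec": {"rules": [{"apiGroups": [""], "resources": ["pods"]}], "mutating": False}},
    {"kind": "AdmissionPolicy", "metadata": {"namespace": "team-a", "name": "wildcard"},
     "spec": {"rules": [{"apiGroups": ["*"], "resources": ["*"]}], "mutating": True}},
    {"kind": "AdmissionPolicy", "metadata": {"namespace": "team-b", "name": "hide-reports"},
     "spec": {"rules": [{"apiGroups": ["wgpolicyk8s.io"], "resources": ["policyreports"]}]}},
    {"kind": "AdmissionPolicyGroup", "metadata": {"namespace": "team-b", "name": "group"},
     "spec": {"rules": [{"apiGroups": [""], "resources": ["pods"]}],
              "policies": {"ns-peek": {"contextAwareResources": [{"apiVersion": "v1",
                                                                  "kind": "Namespace"}]}}}},
]

if __name__ == "__main__":
    print("advisories for 1.20.3:", sorted(affected_cves("1.20.3")))
    for f in audit(SAMPLE_MANIFESTS):
        print(f"{f['cve']} {f['kind']} {f['object']}: {f['detail']}")
```

In a live cluster the manifests would come from `kubectl get admissionpolicies,admissionpolicygroups -A -o json` (the `items` list), and every CVE-2025-24376 finding on a controller older than 1.21.0 should be treated as a policy that can blind or rewrite the namespace's audit reports.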